[Pdns-announce] PowerDNS Recursor Security Release 3.6.1

bert hubert bert.hubert at netherlabs.nl
Wed Sep 10 08:02:23 UTC 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi everybody,

We regret that we have to announce a PowerDNS Recursor security release:

Issue:	A specific sequence of packets can crash PowerDNS Recursor 3.6.0
	remotely
CVE:	CVE-2014-3614
Affected: 
	All deployments of PowerDNS Recursor 3.6.0 
Not Affected: 
	PowerDNS Authoritative Server, PowerDNS Recursor versions other
	than 3.6.0 
Workaround: 
	1) Only users from netmasks specified in 'allow-from' can cause
	   the crash 
	2) add automated restarting
Remediation: 
	Upgrade 3.6.1 using the packages we provided, or apply our minimal patch
	and recompile
	Distributions shipping 3.6.0 have been notified last week and will be
	providing updates very soon

Recently, we've discovered that PowerDNS Recursor 3.6.0 (but NOT
earlier) can crash when exposed to a specific sequence of malformed packets. 
This sequence happened spontaneously with one of our largest deployments,
and the packets did not appear to have a malicious origin.

Yet, this crash can be triggered remotely, leading to a denial of
service attack.  There appears to be no way to use this crash for system
compromise or stack overflow.

Fixed packages and sources are available from: https://www.powerdns.com/downloads.html

In addition, if you want to apply a minimal fix, it can be found on:
https://xs.powerdns.com/tmp/minipatch-3.6.1

Finally, distributions that ship PowerDNS Recursor 3.6.0 have been notified
and will be providing updated packages soon.

As for workarounds, only clients in allow-from are able to trigger the
crash, so this should be limited to your userbase.

Secondly, https://github.com/PowerDNS/pdns/blob/master/contrib/upstart-recursor.conf
and https://github.com/PowerDNS/pdns/blob/master/contrib/systemd-pdns-recursor.service
can be used to enable Upstart and Systemd to restart the PowerDNS Recursor
in case of a crash.

In addition to various fixes related to this potential crash, 3.6.1 fixes a
few minor issues and adds a debugging feature:

* We could not encode IPv6 AAAA records that mapped to IPv4 addresses in some
  cases (:ffff.1.2.3.4). Fixed in commit c90fcbd , closing ticket 1663.

* Improve systemd startup timing with respect to network availability (commit
  cf86c6a), thanks to Morten Stevens.

* Realtime telemetry can now be enabled at runtime, for example with
  'rec_control carbon-server 82.94.213.34 ourname1234'. This ties in to our
  existing carbon-server and carbon-ourname settings, but now at runtime. This
  specific invocation will make your stats appear automatically on our public
  telemetry server.


We want to thank the dedicated PowerDNS users that spent months
investigating the rare crashes they observed. Without such an engaged
community, we would never be able to chase down issues like these.

If you have any questions regarding this update, or need help upgrading,
pleae contact us here or through https://www.powerdns.com/contact.html

	Bert

- -- 
PowerDNS Website: http://www.powerdns.com/
Contact us by phone on +31-15-7850372
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAlQQBY8ACgkQHF7pkNLnFXUeWACgqyD19AIsGG/tQVQqU/iHUQNX
3kQAoKWFsVC4ZV4+0Yl4QDy6ntUFM7Xz
=wv1m
-----END PGP SIGNATURE-----

More information about the Pdns-announce mailing list